feat: Enhance entropy check and streamline CI process [requires changes]

[arii]

This PR introduces a robust entropy check to confirm changes before re-reviewing. Key features include:

• Summarizes changes between the last two CI runs to reduce noise for reviewers.
• Ensures comprehensive commit and diff examination by checking out the repository with full history using fetch-depth: 0.
• Automates informative PR comments about check statuses to facilitate quicker triage.

Scope Minimization Suggestions:

• Review the necessity of updated visual snapshots, specifically in 'tests/visual.spec.ts-snapshots', and consider removing them if they do not contribute to the functional improvements of this PR.

Fixes #2600

[github-actions]

🚀 Impact Analysis Details (Last updated: Jun 18, 2026, 6:16 PM PST)

✅ Impact Analysis Complete

• Commit SHA: 9e2d17e
• Link to artifacts

Deployment Review

Summary

Impact Level: LOW

📝 Changed Files (12)

• .github/actions/update-pr-comment/action.yml
• .github/workflows/ci.yml
• .github/workflows/jules-fix-trigger.yml
• dev-tools/post-jules-retry-context.sh
• scripts/build-repo-context.py
• scripts/clients/geminiCodeReviewClient.ts
• scripts/clients/githubModelsCodeReviewClient.ts
• scripts/lib/codeReviewOrchestrator.ts
• scripts/lib/codeReviewTypes.ts
• scripts/lib/visualReviewOrchestrator.ts
• scripts/lib/visualReviewTypes.ts
• scripts/lib/visualReviewUtils.ts

Routes Reviewed

No concrete routes required review.

[github-actions]

🚀 Deployment Details (Last updated: Jun 19, 2026, 12:49 PM PST)

🚀 Pushed to gh-pages; publish in progress

• Preview URL: https://arii.github.io/tech-dancer/codex/add-entropy-check-for-pr-resubmission/
• Preview Dashboard: https://arii.github.io/tech-dancer/previews/index.html
• Commit SHA: d61e8c1
• Marker File: verify here

[arii]

ANTI-AI-SLOP\n\n\n## FINDINGS\n

\n\n## FINAL RECOMMENDATION\n<Approved | Approved with Minor Changes | Not Approved>\n\n

Inline Comments (Fallback due to Github line resolution errors)

• :1:

[arii]

Automated Agent Review

ℹ️ Workflow Updates: If modifying actions/setup-node or actions/setup-python, please ensure they are pinned to v6 as per infrastructure requirements.

ℹ️ Tooling/Scripts: Please ensure any Python script changes are covered by pytest and that typescript scripts pass pnpm run test:scripts.

---

This is an automated review generated by Jules.

[arii]

AUTO-AUDIT

FINAL RECOMMENDATION

Approved

[github-actions]

🐙 GitHub Models Code Review

Powered by GitHub Models

Reviewing: PR #2515

Code Review Feedback

High Severity Review

1. Potential Information Disclosure / Security Issue

   • In .github/workflows/jules-fix-trigger.yml, the new step Post Jules retry entropy context runs dev-tools/post-jules-retry-context.sh with GITHUB_TOKEN: ${{ github.token }}. This exposes the default GitHub Actions token to a shell script, which then uses the gh CLI. If the script or any subprocesses are compromised or misused, this token could be leaked or abused. The script does not restrict the scope of the token, nor does it sanitize its output or error handling. This is a high severity security risk.
   • The script also uses gh pr comment and gh api commands, which could potentially post sensitive information to PR comments if the repo context or job states contain secrets or sensitive data.

2. Shell Script Robustness and Token Handling

   • In dev-tools/post-jules-retry-context.sh, the script uses set -euo pipefail, but it does not sanitize or validate all inputs (e.g., PR_NUMBER, WORKFLOW_FILE). If these are manipulated or missing, the script could fail in unpredictable ways.
   • The script creates temporary files for comment bodies but does not always clean them up (e.g., /tmp/jules-retry-context.md). If the script is run concurrently or on a shared runner, this could lead to race conditions or leaking context between runs.

3. Type Safety and Data Validation

   • In scripts/lib/codeReviewOrchestrator.ts and scripts/lib/visualReviewOrchestrator.ts, the code reads and parses JSON files (ci-failure.schema.json, cli-schema.json, and the output of build-repo-context.py) without validating their structure. If these files are malformed or manipulated, this could cause runtime errors or inject unexpected data into the review context. There is no schema validation or type checking for the parsed data.
   • The repoContext is injected as a string into review payloads, but its contents are not sanitized. If the context contains untrusted data, it could be rendered in markdown comments or passed to LLMs, leading to prompt injection or information disclosure.

4. Performance and Resource Usage

   • The shell script (post-jules-retry-context.sh) fetches and processes up to 50 workflow runs and their jobs, and then diffs commits and files. This could be slow and resource-intensive, especially on large repositories or busy PRs. There is no caching or throttling, and the script could be triggered multiple times per PR.

5. Missing Types

   • The TypeScript interfaces (CodeReviewSummary, VisualRouteSummary) now include an optional repoContext?: string, but the actual structure of repoContext is not defined or enforced. This could lead to inconsistent usage and bugs if consumers expect a certain shape.

Actionable Feedback

• Restrict and Sanitize Token Usage: Never pass the default GitHub Actions token to arbitrary shell scripts unless absolutely necessary. If you must, ensure the script cannot leak the token (e.g., by restricting subprocesses, sanitizing logs, and avoiding posting sensitive data to PR comments).
• Validate and Sanitize Data: Always validate the structure of parsed JSON files and sanitize any data before posting it to PR comments or passing it to LLMs. Consider using a schema validator or stricter type checks.
• Clean Up Temporary Files: Ensure all temporary files are deleted after use, and use unique filenames (e.g., via mktemp) to avoid race conditions.
• Define Types for Repo Context: Create a TypeScript interface for the expected structure of repoContext and enforce it throughout the codebase.
• Limit Resource Usage: Consider limiting the number of workflow runs processed, caching results, or throttling the script to avoid excessive resource usage.

Blocking Issue: The security risk of passing the GitHub Actions token to an unsanitized shell script and potentially leaking sensitive information is a blocking issue.

[VERDICT: FAIL]

---

Generated by github-models-code-review

[arii]

The changes made to the workflow and scripts show good intentions to improve the CI process; however, a review of updated visual snapshots is necessary to minimize unnecessary code churn. Please address this concern.

[arii]

@jules-fix-ci

[github-actions]

🤖 Jules is on it!

Initialized autonomous repair session (sessions/15348452966689438058) for branch codex/add-entropy-check-for-pr-resubmission.

[arii]

Automated Review for PR #2515

CI Status: All checks passing.

FINAL RECOMMENDATION

Approved

[arii]

Automated Review for PR #2515

CI Status: All checks passing.

Recommendation: Everything looks good from a CI perspective. Ready for manual review/merge if no other concerns.

FINAL RECOMMENDATION

Approved